1dd788c0...ee50

VTI SCORE: 93/100

Target:

win10_64 | exe

Classification:

Riskware, Keylogger, Trojan

1dd788c038b4d8d2d3302d7a33162322d0896c7d17888e2fa34204b66c9aee50 (SHA256)

gabkrj.jpg.exe

Windows Exe (x86-32)

Created at 2018-04-03 14:29:00

Severity	Category	Operation	Classification
4/5	Masquerade	Uses a double file extension	Riskware
File "c:\users\ciihmnxmn6ps\desktop\gabkrj.jpg.exe:zone.identifier" has a double file extension. ... VTI Actions Go to Function Call
File "c:\users\ciihmnxmn6ps\desktop\gabkrj.jpg.exe" has a double file extension. ... VTI Actions Go to Function Call
3/5	Device	Monitors keyboard input	Keylogger
Installs system wide "WH_KEYBOARD_LL" hook(s) to monitor keystrokes. ... VTI Actions Go to Function Call
2/5	File System	Associated with suspicious files	Trojan
File "c:\users\ciihmnxmn6ps\desktop\gabkrj.jpg.exe" is a known suspicious file. ... VTI Actions Go to File Details
1/5	Process	Creates system object	-
Creates mutex with name "d6255d76-fd1b-49c2-b1bf-bb2df53c6c67". ... VTI Actions Go to Function Call
Creates mutex with name "Global\.net clr networking". ... VTI Actions Go to Function Call
1/5	Anti Analysis	Resolves APIs dynamically to possibly evade static detection	-
Resolves an unusually high number of APIs. ... VTI Actions Go to Function Call
1/5	Network	Performs DNS request	-
Resolves host name "LHnIwsj". ... VTI Actions Go to Function Call
Resolves host name "dankleo01.chickenkiller.com". ... VTI Actions Go to Function Call
Resolves host name "www.iptrackeronline.com". ... VTI Actions Go to Function Call
1/5	Persistence	Installs system startup script or application	-
Adds "\temp\tempgh.exe" to Windows startup via registry. ... VTI Actions Go to Function Call
Adds "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\temp\tempgh.exe" to Windows startup via registry. ... VTI Actions Go to Function Call
1/5	Injection	Modifies control flow of a process running from a created or modified executable	-
"c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe" alters context of "c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe" ... VTI Actions Go to Function Call
1/5	Network	Connects to remote host	-
Outgoing TCP connection to host "45.55.57.244:443". ... VTI Actions Go to Function Call

Function Logfile

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".

Before

After